A number of enterprises operate computer systems that maintain accounts for multiple users. In many cases, the users access the accounts from remote locations. An on-line banking system, which enables a user to remotely access checking and savings accounts, is probably the best-known example of such a system.
At a minimum, a user must enter a valid account identifier, usually an account number, to begin the access process. However, to improve security, most systems also require that the user enter a multi-digit Personal Identification Number or PIN before the user will actually be able to access the accounts and conduct transactions.
Conventionally, users entered the account number and any required PIN numbers by keying in the digits at a personal computer or other computer terminal. In the interests of making it easier for users to establish access to their accounts when a personal computer or computer terminal is not readily available, an increasing number of system operators are giving users the option of entering account numbers and PIN values orally. Such systems, often referred to as interactive voice response systems, employ speech recognition technology to recognize spoken numbers and to convert them to an electronic form usable by the computer system.
Conventionally, a PIN is thought of only as a multi-digit number, usually four to six digits in length. Because the number is often assigned to, rather than chosen by, the user, it may have no personal significance to the user and thus be hard to remember. Many users write the numbers down rather than taking the chance of forgetting them when they need them. Keeping a written record of a PIN number, while an understandable practice, increases the risk that an unauthorized user will see the written record and become enabled to access the system that is supposed to be protected by the PIN.
System security can, of course, be enhanced by requiring that a user provide additional information unrelated to the PIN number values before the user will be considered authenticated and given access to the protected system. If the additional information has no relationship to the PIN numbers, it may be difficult for a user to recall, leading the user to again write down all of the necessary information in a readily accessible place. Moreover, the requirement for additional information can impose a significant extra burden on the user, which is inconsistent with the original goal of making it easier for users to access their accounts.
If additional information is to be required of a user, it is desirable that the additional information be of a nature that allows it to be readily recalled, thereby reducing or eliminating any extra burden on the user.
U.S. Pat. No. 5,721,765 discloses a PIN security system which makes use of a time dimension to provide better security than is provided by a system which relies solely on entered numbers in order to authenticate a user. According to this patent, the numbers in the PIN are separated into two or more digit groups. When the user is attempting to access a PIN-protected system, the digit groups must be entered according to a pre-defined time pattern in order to positively identify the user. As an arbitrary example, assume a user has a PIN number 2468135. Such a number could be divided into temporal groups 24, 6813 and 5. The user might be required to pause at least one second between finishing entry of the first group “24” and beginning entry of the second group “6813” and to pause at least two seconds between finishing entry of the second group “6813” and beginning entry of the third group “5”. Optionally, the user might be required to enter all three numbers in the second group “6813” within two seconds.
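The timing check described above can be sketched as follows. This is an added example, not code from the cited patent; the function name, the event format (digit, timestamp in seconds) and the sample entries are assumptions made for illustration, and the policy values are the ones from the arbitrary example in the text.

```python
import hmac

# Policy from the text's example: PIN 2468135 split into groups 24 / 6813 / 5.
GROUPS = ["24", "6813", "5"]
MIN_PAUSE = [1.0, 2.0]      # seconds required after group "24" and after "6813"
MAX_GROUP_TIME = {1: 2.0}   # optional rule: group index 1 ("6813") within 2 s


def verify_timed_pin(events, groups=GROUPS, min_pause=MIN_PAUSE,
                     max_group_time=MAX_GROUP_TIME):
    """events: list of (digit_char, timestamp_seconds) in entry order.

    Hypothetical verifier: True only if the digits match and every
    timing rule of the pre-defined pattern holds.
    """
    expected = "".join(groups)
    entered = "".join(d for d, _ in events)
    # Constant-time comparison of the digit sequence.
    digits_ok = hmac.compare_digest(entered.encode(), expected.encode())
    if len(events) != len(expected):
        return False
    times = [t for _, t in events]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        return False  # timestamps must be non-decreasing

    timing_ok = True
    start = 0
    for i, group in enumerate(groups):
        end = start + len(group) - 1
        limit = max_group_time.get(i)
        # Optional cap on how long entry of this group may take.
        if limit is not None and times[end] - times[start] > limit:
            timing_ok = False
        # Required pause between this group's last digit and the next group's first.
        if i < len(groups) - 1 and times[end + 1] - times[end] < min_pause[i]:
            timing_ok = False
        start = end + 1
    return digits_ok and timing_ok


# Constructed sample entries (not real data).
GOOD = [("2", 0.0), ("4", 0.3), ("6", 1.5), ("8", 1.9),
        ("1", 2.3), ("3", 2.8), ("5", 5.0)]
NO_PAUSE = [(d, 0.3 * i) for i, d in enumerate("2468135")]
SLOW_GROUP = [("2", 0.0), ("4", 0.3), ("6", 1.5), ("8", 2.5),
              ("1", 3.5), ("3", 4.5), ("5", 7.0)]
```

The correct digits entered at a uniform pace (`NO_PAUSE`) are rejected, which is the property the time dimension adds over a digits-only check.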
While this system does provide enhanced security, it also requires that the user remember additional information that may not be readily recalled by the user. The net result is that the user may be tempted to write down not only the number sequence but also the temporal sequence, thus creating the same type of security exposure the approach was intended to overcome.
There remains a need for an enhanced PIN-based security system that requires something beyond entry of only a number sequence without leading to a requirement that a user remember additional information that the user is unlikely to readily recall.